Add "stores" to disallowed properties
"stores" is an image property which the API uses to indicate which
stores (store IDs) contain the image. It can also be
set by the user, which is very confusing and potentially
catastrophically breaking for consumers.
This patch prevents that from happening.
Depends-on: https://review.opendev.org/#/c/744024/
Change-Id: I4eca092bd0a7cce1d6bbbd30685f4643cb4e7d1c
Closes-Bug: #1889676
(cherry picked from commit e1f0e94b90
)
parent
b52a27360d
commit
69848bfc58
@ -710,7 +710,7 @@ class ImagesController(object):
|
||||
|
||||
class RequestDeserializer(wsgi.JSONRequestDeserializer):
|
||||
|
||||
_disallowed_properties = ('direct_url', 'self', 'file', 'schema')
|
||||
_disallowed_properties = ('direct_url', 'self', 'file', 'schema', 'stores')
|
||||
_readonly_properties = ('created_at', 'updated_at', 'status', 'checksum',
|
||||
'size', 'virtual_size', 'direct_url', 'self',
|
||||
'file', 'schema', 'id', 'os_hash_algo',
|
||||
|
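Review bot: 'stores' is added to `_disallowed_properties` but does not appear in the visible part of `_readonly_properties`, whereas every other disallowed name ('direct_url', 'self', 'file', 'schema') is listed in both tuples. The `_readonly_properties` tuple continues past the end of this hunk, so this may already be covered. If it is not, and the update (JSON-patch) path validates against `_readonly_properties` rather than `_disallowed_properties`, a user could still set `stores` on an existing image after creation. I would add `'stores'` to `_readonly_properties` as well and add a matching negative test for `update` next to the new create test.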
@ -4310,6 +4310,13 @@ class TestImagesDeserializerNoAdditionalProperties(test_utils.BaseTestCase):
|
||||
self.assertRaises(webob.exc.HTTPBadRequest,
|
||||
self.deserializer.create, request)
|
||||
|
||||
def test_neg_create_with_stores(self):
|
||||
self.config(allow_additional_image_properties=True)
|
||||
request = unit_test_utils.get_fake_request()
|
||||
request.body = jsonutils.dump_as_bytes({'stores': 'test'})
|
||||
self.assertRaises(webob.exc.HTTPForbidden,
|
||||
self.deserializer.create, request)
|
||||
|
||||
def test_update(self):
|
||||
request = unit_test_utils.get_fake_request()
|
||||
request.content_type = 'application/openstack-images-v2.1-json-patch'
|
||||
|
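Review bot: `test_neg_create_with_stores` does not say why it turns on `allow_additional_image_properties`, and it expects HTTPForbidden while the assertion just above it in the hunk expects HTTPBadRequest. A one-line comment would make the intent explicit, e.g. `# Additional properties are allowed here, so the 403 must come from the disallowed-property check.` It would also be worth repeating the same request body with the option set to False, so the rejection of `stores` is pinned in both configurations. The preceding test starts outside the hunk, so the reason for its 400 is inferred rather than visible.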
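--- a/releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml
+++ b/releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+- |
+Bug 1889676_: "stores" can be set as property breaking multistore indication of stores where the images are present
+
+.. _1889676: https://bugs.launchpad.net/glance/+bug/1889676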